PHP programming, ~20 mins

How SQL injection exploits unsafe queries in PHP - Practice Exercises

Challenge - 5 Problems
Predict Output
Difficulty: intermediate
What is the output of this PHP code with unsafe SQL query?

Consider this PHP code snippet that builds an SQL query unsafely using user input. What will be the output when the input is admin' -- ?

PHP
<?php
$user_input = "admin' -- ";
$query = "SELECT * FROM users WHERE username = '$user_input'";
echo $query;
?>
A. SELECT * FROM users WHERE username = 'admin'' -- '
B. SELECT * FROM users WHERE username = 'admin' --
C. SELECT * FROM users WHERE username = 'admin -- '
D. SELECT * FROM users WHERE username = 'admin\' -- '
💡 Hint

Look carefully at how the input is inserted directly into the query string.

🧠 Conceptual
Difficulty: intermediate
Which part of this SQL query is vulnerable to injection?

Given this PHP code snippet, which part is the main cause of SQL injection vulnerability?

$query = "SELECT * FROM users WHERE username = '" . $_GET['user'] . "'";
A. Concatenating user input directly into the query
B. Using double quotes for the query string
C. Using single quotes around the username
D. Not using a semicolon at the end of the query
💡 Hint

Think about how user input is handled inside the query.

🔧 Debug
Difficulty: advanced
What error occurs when this unsafe query is executed with input: ' OR 1=1 -- ?

Look at this PHP code snippet. What error or behavior will happen if the input is ' OR 1=1 -- ?

$input = "' OR 1=1 -- ";
$sql = "SELECT * FROM users WHERE username = '$input'";
$result = mysqli_query($conn, $sql);
A. PHP fatal error due to undefined variable
B. Syntax error in SQL query
C. Empty result set returned
D. The query returns all rows from the users table
💡 Hint

Consider what the injected SQL code does inside the WHERE clause.

📝 Syntax
Difficulty: advanced
Which option causes a syntax error in this unsafe SQL query?

Given this PHP code snippet, which option will cause a syntax error when executed?

$input = $_GET['input'];
$sql = "SELECT * FROM users WHERE username = '$input'";
A. input = admin'; DROP TABLE users; --
B. input = admin" OR 1=1 --
C. input = admin
D. input = admin' OR '1'='1
💡 Hint

Look at how quotes are used and closed in the query string.

🚀 Application
Difficulty: expert
How can an attacker exploit this unsafe query to bypass login?

Given this PHP login code snippet, how can an attacker craft the username input to bypass password verification?

$username = $_POST['username'];
$password = $_POST['password'];
$sql = "SELECT * FROM users WHERE username = '$username' AND password = '$password'";
$result = mysqli_query($conn, $sql);
if (mysqli_num_rows($result) > 0) {
  echo 'Login successful';
} else {
  echo 'Login failed';
}
A. username = admin' -- , password = anything
B. username = admin, password = ' OR '1'='1
C. username = admin' OR '1'='1, password = anything
D. username = admin, password = admin
💡 Hint

Think about how to make the WHERE clause always true by injecting SQL in username.